I just had the not-so-fun task of auditing some PHP code that had a lot of vulnerabilities. These were all MySQL injection-type attacks. I had found them mostly because of the MySQL errors they generated in our logs. If you are writing PHP scripts and you are using MySQL, you must sanitize your data! Never assume nobody will know. It is easy to find.

Here is an example; this script will look up widgets of a certain category ID:

Unless you mean what the difference is between mysql_real_escape_string and mysql_escape_string. The difference is that mysql_escape_string is deprecated, and also that mysql_real_escape_string takes a connection handler and escapes the string according to the current character set.

What I mean is the difference in function between intval() and mysql_real_escape_string(). Anyway, a quick search about intval() on Google explains everything.

From what I learned, mysql_real_escape_string() is good enough to sanitize ANY user input. I'm just worried that the mysql_real_escape_string() function only works under certain conditions.

Thanks

intval() will convert any data to an integer. So for example:

Code:

<?php
// A string with no leading digits converts to 0
$variable = "I am some injected text";
echo intval($variable);

The output of this would be:

0

So if you are expecting a variable to be an integer, such as a timestamp or an ID number, pass it through intval and, no matter what, it will always come out as a number. It eliminates any chance that the variable has been injected with any SQL code. If you just used mysql_real_escape_string(), you could still cause an error if MySQL is expecting an integer. This does not help you, however, when you NEED text. Then you use mysql_real_escape_string().
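As an added example (not code from the thread or from any poster), the following script runs the kinds of values an attacker might send as the category parameter through intval() and prints what would reach MySQL in the raw and the coerced versions of the widget lookup. The table and column names (widgets, category_id, name) and the mysqli connection object for the text path are assumptions; the sample inputs are constructed, not captured traffic.

```php
<?php
// Added example, not code from the thread. Shows what intval() does to
// hostile input and why a numeric column should be coerced rather than
// escaped. Table/column names are assumed.
declare(strict_types=1);

// Constructed sample inputs, not captured traffic.
const SAMPLES = [
    '7',                     // honest value
    '7 OR 1=1',              // injection into an unquoted integer
    "7' OR '1'='1",          // injection aimed at a quoted integer
    '7; DROP TABLE widgets', // stacked statement attempt
    '0x1F',                  // hex text: intval() on a string stops at the 'x'
    '  42  ',                // surrounding whitespace is tolerated
    '3.99',                  // fraction is truncated, not rounded
    '',                      // empty: becomes 0, i.e. "no such category"
];

// The vulnerable shape: the raw request value interpolated into SQL.
function vulnerableWidgetQuery(string $cat): string
{
    return "SELECT id, name FROM widgets WHERE category_id = $cat";
}

// Integer path: intval() guarantees the interpolated token is an integer
// literal, so there is nothing left for an attacker to inject.
function intWidgetQuery(string $cat): string
{
    $id = intval($cat);
    return "SELECT id, name FROM widgets WHERE category_id = $id";
}

// Text path: escaping needs a live connection because real_escape_string()
// is charset-aware. $db is assumed to be a connected mysqli object. The
// escaped value MUST sit inside quotes: escaping only neutralises quote and
// backslash characters, so a value like '7 OR 1=1' would pass through
// unchanged if it were compared against an unquoted integer column.
function textWidgetQuery(mysqli $db, string $name): string
{
    $safe = $db->real_escape_string($name);
    return "SELECT id, name FROM widgets WHERE name = '$safe'";
}

foreach (SAMPLES as $raw) {
    printf("input: %-26s intval: %d\n", var_export($raw, true), intval($raw));
    printf("  raw:     %s\n", vulnerableWidgetQuery($raw));
    printf("  coerced: %s\n", intWidgetQuery($raw));
}
```

Run it with the PHP CLI; the integer path needs no database at all, which is the point of the intval() approach. textWidgetQuery() is only there to show the other half of the post: it is never called here because it requires a mysqli connection, and a practitioner should notice that it relies on the value being quoted in the SQL, not on the escaping alone.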

I am dealing with this right now and am tightening up the holes in my scripting. I'm using PHP to drive it and am wondering what method to use for this project, MySQLi or PDO. It's a subscription site for online ads, and it uses PayPal, so no SSL is needed on our end, but it's still important to protect the data, of course! Would PDO be better suited, or shall I just work out 100% sanitation methods?
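As an added example (not code from the thread or from any poster), here is the same widget lookup written with PDO prepared statements, which the post above asks about. The request value is bound as a parameter and never becomes part of the SQL text, so it cannot change the query's structure. The table and column names, the environment variable names and the MySQL DSN are placeholders; when no DSN is set, the script falls back to an in-memory SQLite database with constructed rows so that it runs offline.

```php
<?php
// Added example, not code from the thread: widget lookup via PDO prepared
// statements. Table/column names, env var names and the DSN are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    $dsn = getenv('WIDGETS_DSN'); // e.g. mysql:host=localhost;dbname=ads;charset=utf8mb4
    if ($dsn !== false && $dsn !== '') {
        return new PDO($dsn, getenv('WIDGETS_USER') ?: null, getenv('WIDGETS_PASS') ?: null, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares on MySQL
        ]);
    }
    // Offline fallback: constructed rows in SQLite, same SQL as above.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE widgets (id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT)');
    $db->exec("INSERT INTO widgets (id, category_id, name) VALUES (1, 7, 'gear'), (2, 7, 'sprocket'), (3, 9, 'cog')");
    return $db;
}

// Integer lookup: intval() keeps the integer contract from the earlier post,
// and PDO::PARAM_INT tells the driver to bind a number, not a quoted string.
function findWidgetsByCategory(PDO $db, string $rawCat): array
{
    $stmt = $db->prepare('SELECT id, name FROM widgets WHERE category_id = :cat');
    $stmt->bindValue(':cat', intval($rawCat), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Text lookup: no escaping call at all. The raw string is sent as a bound
// value, so quotes inside it are data, not SQL syntax.
function findWidgetsByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM widgets WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect();

// Constructed attack strings for both parameter kinds.
foreach (['7', '7 OR 1=1', "7' OR '1'='1"] as $cat) {
    printf("category %-16s -> %d row(s)\n", var_export($cat, true), count(findWidgetsByCategory($db, $cat)));
}
foreach (['gear', "gear' OR '1'='1", "' OR 1=1 --"] as $name) {
    printf("name %-20s -> %d row(s)\n", var_export($name, true), count(findWidgetsByName($db, $name)));
}
```

With the SQLite fallback, every category variant resolves to category 7 because intval() strips the injected tail, and only the exact name 'gear' matches a row; the quoted injection strings match nothing because the whole string is compared as a value. MySQLi offers the same prepared-statement mechanism (mysqli_prepare with bind_param), so the choice between the two drivers is about API preference; the protection comes from binding parameters rather than from which extension you pick.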